How does the cloud and SaaS affect business continuity planning?

/ IT Consultancy
August 10th, 2010

Cloud - Considering business continuity planning in relation to cloud and SaaS

I regularly receive questions in relation to cloud and Software as a Service (SaaS), and how it affects Business Continuity plans. So I have compiled these into a blog article. The areas covered are a good starting point if you’re looking into your disaster recovery/business continuity plans in relation to cloud or SaaS.

How can cloud, or SaaS, affect business continuity plans?

When it comes to planning a business continuity strategy, many businesses will see (SaaS) as the answer to their prayers. Often because they will believe – or will be told by a salesperson – that they can now ignore business continuity in relation to the SaaS solution they have purchased. Unfortunately, it’s often an “out of sight, out of mind” scenario; you’d be surprised how many buyers will simply accept a salesperson’s promise. This is obviously completely negligent and puts a business at risk.

As an example, one particular company is currently migrating to our services after its systems went down for a full working day due to an air conditioning failure at its current supplier’s ‘data centre’ – which meant that staff had to open the windows! I can’t think of any calibre of data centre where the air-conditioning could fail. Let alone one that has windows that can be opened to cool it!

Typically, assuming that you choose a reputable business to deliver SaaS, the company will build its systems to a much greater level of resilience than many businesses could ever build internally. At the end of the day, its whole business depends on the service provided, and even small outages can deeply damage its reputation and revenue, let alone the reputation and revenue of its customer base. In the majority of cases, as long as you choose a solid SaaS solution, your business will be much more resilient to failure, and it will also strengthen your business continuity plans.

How should you evaluate your existing business continuity plan when moving to cloud computing / SaaS?

You must include any major third-party supplier within your plans when moving to cloud computing. Some areas you need to cover are:

  • You need to ensure that the provider’s plans fit your requirements for availability and return to service – so look at the service level agreements.
  • You need to plan for your provider to potentially stop trading for a set amount of time and permanently.
  • What happens if the provider is bought out and the new owner wishes to cease the service?
  • Know how you will you get your data out of the provider in a disaster situation, and how you will be able to access your data. For example, your entire CRM or ERP exported in Excel format may be useful for the short-term.
  • Ask for detail on their infrastructure and evaluate it as your own.
  • Check the provider’s indemnity.
  • Check support availability. Some SaaS providers may only run support services during US working hours and you’ll want a heavy UK focus.
  • Think about systems integration. Undertake an in-depth analysis identify which internal systems and services interface with the SaaS solution and how a disaster will affect them.

Evaluate your provider as if they are part of your own operation. They hold your data so, in effect, an element of your business is outsourced to them. Be sure and comfortable, know how you will get your business operational if your cloud / SaaS provider suffers a disaster.

Also, think about the below:

  • It is important to re-evaluate areas that perhaps don’t need to be as resilient internally due to the SaaS solution. This may deliver cost savings:  for example 24×7 support, redundant hardware, network support.
  • If there’s a transport strike or snow storm and staff are working remotely from home, how are you going to be sure that any communication into your SaaS service is secure? As a business, are you willing to take that risk?  Or will you build an IT solution that will protect your company’s data and communications on unsecured PCs and laptops?

Does cloud computing / SaaS make it easier to carry on in the event of an incident?

Using a SaaS solution could make it easier for an organisation to continue operating if its business suffers a disaster from a technical / systems availability standpoint.

If it is your business that suffers the disaster, then disaster recovery/business continuity plans for that application/service aren’t directly your problem. Your SaaS services should keep on running automatically. It’s very likely that you can build a solution that will allow your staff can access your system remotely through their home internet connection or from your disaster recovery site.

Traditionally, if a multi-site business were to lose service at the main HQ (where the internal server rooms/data centres are based), then it would be dead in the water. However, with SaaS solutions, this may no longer be a problem. Satellite offices solutions can continue to run and even operate much of the main HQ’s function.

What questions should you be asking cloud computing or SaaS vendors with respect to their own business continuity plans?

The key questions any business should be asking cloud computing vendors with regard to business continuity plans  include:

  • Can I see the business continuity plans, at least on a broad level? It’s unlikely that you’ll be able to see a full business continuity plan since they are business sensitive by their very nature;
  • What would happen if the data centre your systems/data sits in was hit by a jumbo jet? Ask them to explain.
  • Ask how they will manage the people side of the business and their 3rd party suppliers in the event of a disaster.
  • How do they guarantee services such as the connectivity and power into its data centres when a disaster strikes?
  • How do they deal with hardware failure? What are their contracts for fix? Do they carry spare equipment? What resilience is built-in?
  • Does the vendor replicate all of your data?  And if so, to what location? Is it in the same city, county or country? From a security standpoint, you would expect it to be across multiple cities.
  • Who are your provider’s other clients? Are their business activities similar to yours?
  • Can you see your vendor’s data centre specifications?
  • What are their downtime figures within the last 18 months?
  • How often they do a full disaster recovery test and can you see the last report?
  • Ask your provider how you will be able to get your data out?
    • Some SaaS providers may allow you to back up your data out of their platform and into your own premises. This may incur additional charges, but you’ll need to balance that against your level of comfort.